RFR: 8260693: Provide the support for specifying a signer in keytool -genkeypair [v4]
Xue-Lei Andrew Fan
xuelei at openjdk.java.net
Fri Apr 2 04:06:35 UTC 2021
On Fri, 2 Apr 2021 01:56:15 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Maybe we don't need to resolve it in this code change. If we look carefully at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2 is using the signer's SKID in 10.1 as its own SKID and it has no AKID. Currently, keytool will generate a new SKID and use signer's SKID as AKID. If we really want to generate a certificate that's identical to the one in the RFC, we'll need a way to tell keytool to omit the AKID (something like "-ext akid=none").
Better to use AKID for certification path building.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3281
More information about the security-dev
mailing list